You’ve probably heard about GDPR and received lots of emails from companies asking whether or not you consent to them retaining your information for future use. That’s because a new law is kicking in: the EU General Data Protection Regulation (GDPR). The GDPR document is 88 pages and 50,000 words long. It replaces the previous 1995 Data Protection Directive 95/46/EC. Its intention is to harmonize data privacy laws across Europe following recent privacy scandals such as Cambridge Analytica.
The General Data Protection Regulation was adopted and approved in 2016 and comes into force May 25th, 2018.
You’re probably wondering: so what does this mean?
The regulation reshapes what it means to do e-commerce in Europe, and it applies wherever you’re based. So if a company based outside the European Union deals with customers inside it, there are safeguards in place on what can and cannot be done with their personal information.
Companies and organisations that are in breach of the terms of the regulation face penalties of up to 20 million euros or 4% of their gross annual turnover, whichever is higher.
Key changes to the previous law:
Increased territorial scope - this basically means that the law is enforceable against companies processing the personal data of European Union subjects no matter where those companies are based. So if you deal with European customers you must be compliant with the law or you risk facing penalties.
This leads us on to the next key change: penalties. Companies found to be in breach of the GDPR regulations risk facing hefty fines of up to 20 million euros or 4% of their gross annual turnover.
Finally, the principal idea behind the creation of the regulation is consent. Consent should be at the forefront of collecting private information about subjects. Consent must be freely given and transparent, so no pre-ticked boxes and no long terms and conditions to scroll through before reaching a tick box. The option to opt in or opt out must be clearly indicated and visible to the subject.
Article 5 of the GDPR sets out the main responsibilities under the GDPR as follows:
- Personal data is processed fairly, lawfully and transparently.
- The information must be collected for a legitimate purpose and must not be used beyond its original purpose.
- Only data relevant to the purpose can be collected and nothing more. This means that companies can’t retain information they don’t need, so if a company doesn’t need information about your work or who you voted for, then they must not keep it.
- Information must be accurate and, where necessary, kept up to date.
- Data is kept in a form which allows identification of subjects for no longer than is necessary.
- Data must be processed in a manner that ensures the security of the personal and sensitive data.
So what are your rights?
You have the right to be informed about how your personal information will be used and stored. For organisations, this means that they will have to inform you of the purposes of retaining your information and the retention period for which it is kept as well as who it will be shared with.
You have the right of access. This means that you have a right to access your personal data, and you can request it verbally or in writing. Companies will then have 30 days to respond and they cannot charge a fee to deal with a request.
You have the right to rectification. Essentially, this means that you are able to have inaccurate information corrected.
You have the right to erasure. This means that you can request for your information to be deleted. However, this right is not absolute and only applies in certain circumstances.
You have the right to restrict processing. This means that you can limit the ways in which a company uses your information.
You have the right to data portability, so you are able to obtain and reuse your personal data for your own purposes across different services.
You have the right to object. This means that you are able to stop your data being used for direct marketing. Moreover, you can object on other grounds; however, the right is not absolute and is restricted.
You have rights in relation to automated decision making and profiling. This means you are able to make your decision entirely on your own without influence from others.
So you’re probably wondering by now: why does it matter? It matters for a lot of reasons, but the main reason is privacy. People in Europe like to be private, and the new regulation gives people control over the collection and retention of their personal data by companies.
What should you do?
If you own a business or company, it is important to ensure that you have consent to obtain and retain the personal information and data of subjects, by implementing the necessary data protection frameworks.
Finally, one thing to note in terms of GDPR is consent. Subjects must consent freely; without consent, companies and organisations will be in breach of the regulation and risk penalties.